From: Adolf Belka
To: development@lists.ipfire.org
Subject: Re: [PATCH 2/3] OpenVPN: Move the OpenSSL configuration file out of /var/ipfire
Date: Fri, 07 Jun 2024 18:24:13 +0200

Hi Michael,

On 07/06/2024 18:03, Michael Tremer wrote:
> Hello,
>
> No, you are right. This does not work.
>
> I submitted a new patch that solves this in a more boring, but functioning way.
>
> https://patchwork.ipfire.org/project/ipfire/patch/20240607160107.3478827-1-michael.tremer(a)ipfire.org/
>
> I tried to send this patch as a reply to this thread, but weirdly this doesn't seem to work for me.

I saw the patch submission so I will try and test it out and hopefully confirm that everything then works fine.

Regards,
Adolf.

>
> Best,
> -Michael
>
>> On 7 Jun 2024, at 09:22, Adolf Belka wrote:
>>
>> Hi Michael,
>>
>> Any comments on my feedback? Did I make some errors, or were there some issues with the code not working as intended? It sounded like you wanted to get any fix from this added into CU186, which would mean giving it some good testing, which I am willing and available to do.
>>
>> Regards,
>>
>> Adolf.
>>
>> On 05/06/2024 13:52, Adolf Belka wrote:
>>> I re-did the vm build and first did a restore of my system so I could access the logs via ssh.
>>>
>>> Then I cleared the x509 system and cleared the error_log and then ran the x509 create, and the following is the output in the error_log file
>>>
>>> ...+.......+..+....+..+.......+..+.+...+.........+..................+........+.......+...+.....+.+.....+ [... key generation progress output trimmed ...] .+.+..+......+++++
>>> ..+.+........+..........+..+.+........+.+.....+.+.....+....+...+...+..............+.........+.......+ [... key generation progress output trimmed ...] .....+.............+...............+......+..+.......+...+.....+.......+++++
>>> -----
>>> You are about to be asked to enter information that will be incorporated
>>> into your certificate request.
>>> What you are about to enter is what is called a Distinguished Name or a DN.
>>> There are quite a few fields but you can leave some blank
>>> For some fields there will be a default value,
>>> If you enter '.', the field will be left blank.
>>> -----
>>> Country Name (2 letter code) [DE]:State or Province Name (full name) []:Locality Name (eg, city) []:Organization Name (eg, company) [IPFire]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) []:Email Address []:Error checking request extension section server
>>>
>>> So you can see explicitly what it came back with.
>>>
>>> Regards,
>>>
>>> Adolf
>>>
>>>
>>> On 05/06/2024 13:33, Adolf Belka wrote:
>>>> Hi All,
>>>>
>>>> I should have also added to the end of this message that patches 1 and 3 were applied, as far as I could tell, as per the patch.
>>>>
>>>> I then installed the built iso into a vm and ran the x509 install and got the root certificate and no host certificate, with the standard openssl error message.
>>>>
>>>> In the httpd/error_log file it had the following message
>>>>
>>>> Email Address []:Error checking request extension section server
>>>>
>>>> Regards,
>>>>
>>>> Adolf.
>>>>
>>>> On 05/06/2024 13:26, Adolf Belka wrote:
>>>>> Hi Michael,
>>>>>
>>>>> Here is my feedback on these three patches and the issues I found when I tried to use them.
>>>>>
>>>>> I had to manually apply them, so there is also the possibility that I made a typo somewhere.
>>>>>
>>>>> On 18/04/2024 23:36, Michael Tremer wrote:
>>>>>> We should not have any configuration files that we share in this place,
>>>>>> therefore this patch is moving it into /usr/share/openvpn where we
>>>>>> should be able to update it without any issues.
>>>>>>
>>>>>> Signed-off-by: Michael Tremer
>>>>>> ---
>>>>>> config/rootfiles/common/openvpn | 2 +-
>>>>>> html/cgi-bin/ovpnmain.cgi | 2 +-
>>>>>> lfs/openvpn | 6 ++++++
>>>>>> 3 files changed, 8 insertions(+), 2 deletions(-)
>>>>>>
>>>>>> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
>>>>>> index d9848a579..c0d49bfad 100644
>>>>>> --- a/config/rootfiles/common/openvpn
>>>>>> +++ b/config/rootfiles/common/openvpn
>>>>> These changes were no problem.
>>>>>> @@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator
>>>>>> #usr/share/doc/openvpn/openvpn.8.html
>>>>>> #usr/share/man/man5/openvpn-examples.5
>>>>>> #usr/share/man/man8/openvpn.8
>>>>>> +usr/share/openvpn/openssl.cnf
>>>>>> var/ipfire/ovpn/ca
>>>>>> var/ipfire/ovpn/caconfig
>>>>>> var/ipfire/ovpn/ccd
>>>>>> @@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial
>>>>>> var/ipfire/ovpn/crls
>>>>>> var/ipfire/ovpn/n2nconf
>>>>>> #var/ipfire/ovpn/openssl
>>>>>> -var/ipfire/ovpn/openssl/ovpn.cnf
>>>>>> var/ipfire/ovpn/openvpn-authenticator
>>>>>> var/ipfire/ovpn/ovpn-leases.db
>>>>>> var/ipfire/ovpn/ovpnconfig
>>>>>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
>>>>>> index 9b8ff5aa5..ed80fef7d 100755
>>>>>> --- a/html/cgi-bin/ovpnmain.cgi
>>>>>> +++ b/html/cgi-bin/ovpnmain.cgi
>>>>> Also this change was no problem.
>>>>>> @@ -54,7 +54,7 @@ my %mainsettings = ();
>>>>>> &General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color);
>>>>>> # Use a custom OpenSSL configuration file for all operations
>>>>>> -$ENV["OPENSSL_CONF"] = "${General::swroot}/ovpn/ca/cacert.pem";
>>>>>> +$ENV["OPENSSL_CONF"] = "/usr/share/openvpn/openssl.cnf";
>>>>>> ###
>>>>>> ### Initialize variables
>>>>>> diff --git a/lfs/openvpn b/lfs/openvpn
>>>>>> index b71b4ccc9..0704aa438 100644
>>>>>> --- a/lfs/openvpn
>>>>>> +++ b/lfs/openvpn
>>>>> This change refused to build, as it said the directory removal was for a non-empty directory. When I looked at it I believe that it needed to be different.
>>>>>> @@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>>>>> chown root:root /etc/fcron.daily/openvpn-crl-updater
>>>>>> chmod 750 /etc/fcron.daily/openvpn-crl-updater
>>>>>> + # Move the OpenSSL configuration file out of /var/ipfire
>>>>>> + mkdir -pv /usr/share/openvpn
>>>>>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
>>>>>> + /usr/share/openvpn/
>>>>>> + rmdir -v /usr/share/openvpn
>>>>>> +
>>>>>
>>>>> The above lines I changed to
>>>>>
>>>>> + # Move the OpenSSL configuration file out of /var/ipfire
>>>>> + mkdir -pv /usr/share/openvpn
>>>>> + mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
>>>>> + /usr/share/openvpn/openssl.cnf
>>>>> + rmdir -v /var/ipfire/ovpn/openssl/
>>>>>
>>>>> with my changes in the last two lines.
>>>>> When I changed just the last line to start with, the openvpn lfs built, but then later on in the cdrom stage it complained about openssl.cnf not being found, hence I also then added the change to the one-before-last line.
>>>>>
>>>>> Regards,
>>>>> Adolf.
>>>>>
>>>>>> # Install authenticator
>>>>>> install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \
>>>>>> /usr/sbin/openvpn-authenticator
>

-- 
Sent from my laptop
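Review bot: In the ovpnmain.cgi hunk, both the removed and the added line write `$ENV["OPENSSL_CONF"]` with square brackets, which in Perl is element access on the array `@ENV`, not the `%ENV` hash that is exported to child processes (and `ENV` is exempt from `use strict`, so this compiles and at most warns), so the variable is never placed in the environment and any openssl invocation that does not pass `-config` falls back to its default configuration file. The line should read `$ENV{"OPENSSL_CONF"} = "/usr/share/openvpn/openssl.cnf";`. A default openssl.cnf has no `server` section, which would fit the quoted `Error checking request extension section server` if the affected command relies on the environment rather than on `-config`.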
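Review bot: In the lfs/openvpn hunk, `rmdir -v /usr/share/openvpn` removes the directory that `mkdir -pv` just created and `mv -v` just populated, so it fails on a non-empty directory, as reported above; the directory that is actually empty after the move is the source, so the line should be `rmdir -v /var/ipfire/ovpn/openssl`. Also the `mv` target `/usr/share/openvpn/` keeps the name `ovpn.cnf`, while the rootfile hunk lists `usr/share/openvpn/openssl.cnf` and the cgi hunk sets `/usr/share/openvpn/openssl.cnf`; rename during the move (`mv -v /var/ipfire/ovpn/openssl/ovpn.cnf /usr/share/openvpn/openssl.cnf`) so all three files agree, as the corrected lines in the thread do. Once the directory is removed during the build, the remaining `#var/ipfire/ovpn/openssl` entry in the rootfile can go as well.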
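The failure reported in this thread, openssl refusing the request with "Error checking request extension section server", is what `openssl req` prints when the section named by `-reqexts`/`-extensions` is not present in the configuration it actually loaded. The following shell script is an added example, not IPFire code and not the project's `ovpn.cnf`: it builds two constructed minimal configs, one with a `[ server ]` request-extension section and one without, selects each purely through `OPENSSL_CONF` (no `-config`), and shows that the CSR carries the extension in the first case and that the second case reproduces the error. The `conf_has_section` precondition check is the kind of guard a caller should run before shelling out to openssl; the file names and section contents are assumptions for the demonstration. OpenSSL 1.1.1 prints "Error Loading request extension section" for the same condition, so the check matches on the common tail.

```shell
#!/bin/sh
# Added example (not IPFire code): OPENSSL_CONF selection and the
# "request extension section" failure mode discussed in the thread.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed minimal config WITH a [ server ] request-extension section.
cat > "$WORK/with-server.cnf" <<'EOF'
[ req ]
default_bits       = 2048
distinguished_name = req_dn
prompt             = no

[ req_dn ]
C  = DE
O  = IPFire
CN = example.test

[ server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# Same config with the [ server ] section stripped: this is what openssl's
# stock openssl.cnf looks like from the point of view of "-reqexts server".
sed '/^\[ server \]/,$d' "$WORK/with-server.cnf" > "$WORK/without-server.cnf"

# conf_has_section CONFIG SECTION: exit 0 if "[ SECTION ]" exists in CONFIG.
# Cheap precondition to run before invoking openssl with -reqexts SECTION.
conf_has_section() {
    grep -q "^\[[[:space:]]*$2[[:space:]]*\]" "$1"
}

# make_csr CONFIG OUT: generate key + CSR, pulling the "server" extension
# section from CONFIG selected only via OPENSSL_CONF (no -config given).
# Stderr is kept in $WORK/err.txt for inspection.
make_csr() {
    OPENSSL_CONF="$1" openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/key.pem" -out "$2" -reqexts server \
        2>"$WORK/err.txt"
}

# csr_has_ext CSR TEXT: exit 0 if the decoded CSR mentions TEXT.
csr_has_ext() {
    openssl req -in "$1" -noout -text | grep -q "$2"
}

# last_error: the recorded openssl stderr, single line, for reporting.
last_error() {
    tr '\n' ' ' < "$WORK/err.txt"
}

demo() {
    if make_csr "$WORK/with-server.cnf" "$WORK/good.csr" &&
       csr_has_ext "$WORK/good.csr" "TLS Web Server Authentication"; then
        echo "with-server.cnf: CSR carries serverAuth as expected"
    fi
    if conf_has_section "$WORK/without-server.cnf" server; then
        echo "unexpected: section found"
    elif make_csr "$WORK/without-server.cnf" "$WORK/bad.csr"; then
        echo "unexpected: openssl accepted a missing section"
    else
        echo "without-server.cnf: openssl failed with: $(last_error)"
    fi
}

demo
```

Run it as `sh demo.sh`; the second line of output reproduces the thread's error against the stripped config. The same mechanism applies to `-extensions` when signing with `openssl x509` or `openssl ca`, where the message says "x509 extension section" instead.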